Admins / Consultants

How to Perform Salesforce Audits: Beyond a Health Check

By Andrea Onhaus

I find the task of auditing my clients’ orgs to be both challenging and fulfilling; I feel like an inspector – a Salesforce Agent (SFA) – when exploring, examining, finding, and exposing every little detail of the org, before presenting my findings to the client.

I have collated some useful tools for creating a Salesforce audit plan that goes way beyond a simple health check.

Why Do We Complete Salesforce Audits?

Working as a consultant when interacting with an org that has been configured by another partner or individual is often more challenging than starting the implementation from scratch.

When I first faced this challenge, I was not able to find a lot of useful information on how to start, what to check, or how to document my findings.

Here are some helpful tips to help you when performing audits:

  • The main purpose of the Salesforce audit is to gain visibility of our client’s org security settings, allowing us to identify and fix any instabilities.
  • It helps as well to reduce gaps in the data and remove processes that waste time and resources.
  • During the process of the audit, not only do you help your client, but it also provides you with the Salesforce Agent (SFA) power to deeply understand the org’s data.
  • Some findings will not necessarily hurt your org, but they might add to the ‘clutter’ – it will be more time consuming to fix them later on.
  • Discover and action technical debt in your org. Again, leaving bad configuration, old or unused data in your org will not necessarily harm it, but it can be seriously time consuming to clean up later in the process.

So let’s dive in, starting with what to check first during the audit.

What Should be Checked During the Audit?

  1. Security settings
  2. Data model
  3. Sharing and visibility settings
  4. Automatization and business processes
  5. Reports and dashboards
  6. Data quality
  7. Best practices in place

Which Tools Can Be Used During the Audit?

1. Salesforce Optimizer

Salesforce Optimizer gives you detailed data right inside your org on more than 50 metrics, covering everything from storage, fields, and custom code, to custom layouts for objects, reports and dashboards, and much more.

2. Salesforce DevTools

This powerful tool helps with:

  • Exporting Object Fields.
  • Exporting Page Layouts.
  • Exporting List View Definition as Excel.
  • Quickly generating test data Apex Code and SOQL.
  • Quickly accessing a new record page, list page, or object setting page.
  • Generating a Salesforce data model (ERDs) as svg.

3. Field Trip

With ZoomInfo Field Trip, you can easily examine the fields of any object and the percentage of records that have this field populated, as well as the overall health of your data. It helps to remove unused, redundant fields in the org.

4. Perm Comparator

Comparing users, profiles, and permission sets has never been easier. Just drag and drop them on to this super user-friendly interface and you will be ready to see and review all of the differences between them.

5. Checkmarx Apex Code Scanner

This tool runs a security scan in the Salesforce org and provides a comprehensive report on risks based on the code quality and security.

6. Manual Checks

Luckily, we can check many things via different apps and extensions. Once I am done with the tools referenced above, I always like to conduct manual checks on the org as well. These checks include:

  • Data storage checks to see my current file and data storage. Go to Administrator > Data Management > Storage Usage.
  • Track license usage of login-based and name-base licenses using the License Usage 1.0 dashboard.
  • Ask if the client has MFA enabled. Reminder: The MFA requirement has been in effect since February 1, 2022. Customers are now contractually required to use multi-factor authentication when accessing products built on the Salesforce platform.
  • Reviewing the client’s automations. Are they using flows instead of Workflow Rules and Process Builder? Reminder: At the end of 2022, Salesforce will be retiring Workflow Rules and Process Builder automations.
  • Review workflows versus trigger implementations.

Next Steps

Categorize, categorize, and categorize!

Make sure, when providing a report/audit sheet for your client, that the issues are categorized based on priority and complexity. Do not forget to include details of how long it will take to fix the issues detailed in the findings.

Yes, this can be tricky, especially the first time as some issues can be fixed quickly, while others need specific workarounds. Try to be as accurate and detailed as possible when providing estimates to your client.

Final Thoughts

Always document everything along with your checks; whether you are using Confluence or an Excel sheet (or any type of external tool) for your findings, by noting down your experience/best practices, you can ensure thorough and accurate work in the future.


The Author

Andrea Onhaus

Andrea is a Salesforce Manager at Nuvolar Consulting who has been working in the Salesforce ecosystem for 7 years. She is 6x certified.


    Ben Norg
    January 03, 2023 4:12 pm
    Thank you for writing up this great article, Andrea! I was excited to see a few tools listed here that I have not used before. I'm in the process of evaluating an instance of Salesforce that was built by a consulting firm and they didn't provide is with any detailed documentation about what was built and why. Therefore, I'm thrilled to learn about some new tools to help me get a better understanding of our current Salesforce implementation. Thanks again!

Leave a Reply